Most people know their passwords are weak. They use the same one everywhere; it contains a memorable word, and there might be a number and an exclamation mark at the end. The reason is simple: strong passwords are hard to remember. This guide explains what actually makes a password strong, the mistakes that undermine most people's security, and how to generate genuinely secure passwords in seconds, without having to remember any of them.
Password strength comes down to three factors, in order of importance:
Character complexity (mixing uppercase, lowercase, numbers, symbols) helps but matters far less than length and randomness. A 25-character lowercase-only random string is stronger than a 10-character password with every character type.
Using a word with substitutions. "P@ssw0rd" is one of the first things a dictionary attack tries. Attackers use lists of common words with predictable character substitutions baked in (@ for a, 0 for o, 3 for e).
Using personal information. Your name, birthday, pet's name, or hometown are discoverable from social media in minutes. Targeted attacks try these first.
Adding numbers and symbols only at the end. "Sunshine23!" follows a pattern that password crackers specifically model: word + digits + symbol.
Using the same password across sites. Data breaches happen constantly. The HaveIBeenPwned database holds billions of leaked credentials. If you reuse a password and that site is breached, your email and password combination will be tested against banking sites, email providers, and social media automatically.
Making passwords too short. An 8-character password can be cracked in hours with modern hardware. 12 characters raises that to years; 16+ characters with mixed types is practically uncrackable by brute force.
There is a genuine tension here. A secure password is random, which makes it inherently hard to memorise. A memorable password uses meaningful words or patterns, which makes it weaker.
The resolution is a password manager. You create one very strong master password (which you memorise), and the manager generates and stores a unique 20-character random password for every site. You never type those site passwords — you just click to fill them. This approach gives you both: one memorable password and unlimited secure unique ones.
If you are not ready for a full password manager, a pragmatic alternative is a passphrase: four or five random unrelated words strung together, like "correct-horse-battery-staple". This is long (30+ characters), random enough to be strong, and possible to memorise. The key is that the words must be truly random, not a phrase you would naturally construct.
Criply's password generator uses the browser's cryptographic random number generator — the same standard used by password managers — never the weaker Math.random(). To generate a strong password:
The generator also lets you exclude ambiguous characters (0/O, 1/l/I) if you need to type the password manually, and you can generate multiple passwords at once for seeding a new password manager setup.
Yes, for most people. The practical argument: the alternative to a password manager is either using the same weak password everywhere (bad for security) or writing passwords down (bad for security). Password managers are designed specifically to solve this problem. Reputable options include Bitwarden (free, open-source), 1Password, and the password managers built into browsers (Chrome, Safari, Firefox), which are usable though less portable across devices.
The one password worth genuinely memorising and making very strong is the master password to your password manager — or your primary email account password, since email is the key that unlocks password resets everywhere else.